Investment advisers are required to evaluate how their advisory activities, arrangements, affiliations, client base, service providers, conflicts of interest and other business factors may cause violations of the Investment Advisers Act. The results of this risk assessment should serve as the basis for drafting and revising compliance policies and procedures that are designed to mitigate, manage and control each risk area in ways that reflect the advisory firm’s resources and need for assurance that violations can be prevented or, if violations occur, that such violations will be detected promptly and corrected.
A risk assessment involves identifying and prioritizing issues pertaining to an investment adviser’s operations that may create risk to the interests of the advisory firm and/or its clients. Accordingly, investment advisers need to (1) identify areas of risk that may be part of their advisory firm’s everyday operations; (2) assess whether the controls in place for managing or mitigating these risks are adequate; and (3) make modifications to their advisory firm’s compliance policies and procedures as necessary.
Types of Risk
An adviser should consider the following types of risk as potentially harmful to the interests of the advisory firm and its clients.
Operational risk arises from the potential that inadequate information systems, operations systems or transaction processing will result in unforeseen losses.
Compliance risk arises from the possibility that a breach of internal policies or procedures, laws, rules, regulations or ethical standards may negatively impact or disrupt the firm’s operations or condition.
Financial risk is the risk that the advisory firm may be unable to meet its financial obligations.
Reputational risk arises from the potential that inappropriate actions or inactions by associated persons or management may cause clients or potential clients to form a negative opinion of the advisory firm and/or its services.
Strategic risk arises from inadequate current and prospective business decisions or responsiveness that might harm the advisory firm’s financial condition or create conflicts among its clients.
The SEC has identified 12 specific areas of concern that should be examined:
- Form ADV/Disclosures
- IPO Offerings
- Soft Dollars
- Trade Ticket
- Trade Execution
- Non-Public Information
- Personal/Proprietary Trading
- Money/Securities to/from Broker/Custodian
Measuring the Risks
The adviser should measure the risks identified by considering the likelihood, impact and probability of a risk event in the absence of controls.
Likelihood: The possibility that a given event will occur.
Impact: The effect the event will have on clients or potential clients, disclosures, finances, reputation and regulatory obligations should it occur.
Probability: The anticipated frequency of a risk event given the regularity of the activity or process that is associated with the risk.
Prioritizing the Risks
Once the advisory firm has measured the inherent risks (e.g., the likelihood and impact in the absence of controls), the firm should prioritize the risks by addressing the areas that have the greatest exposure.
Managing the Risks
The advisory firm should develop a risk management matrix that maps the firm’s inventory of risks to specific compliance policies and procedures. The firm should periodically, but no less than annually, update the risk management matrix.